Use normal responses instead of nextresponse

bcbogdan · bcbogdan · commit ea95af2799a8 · 2025-02-21T11:42:48.000+02:00
diff --git a/examples/with-next-ssr-app-directory/app/components/home.tsx b/examples/with-next-ssr-app-directory/app/components/home.tsx
@@ -30,8 +30,7 @@ export async function HomePage() {
                     </div>
                     <div className={styles.innerContent}>
                         <div>Your userID is:</div>
-                        {/* <div className={`${styles.truncate} ${styles.userId}`}>{session.userId}</div> */}
-                        <div className={`${styles.truncate} ${styles.userId}`}>sadsa</div>
+                        <div className={`${styles.truncate} ${styles.userId}`}>{session.userId}</div>
                         <CallAPIButton />
                     </div>
                 </div>
diff --git a/lib/ts/nextjs/middleware.ts b/lib/ts/nextjs/middleware.ts
@@ -1,6 +1,6 @@
 import { enableLogging, logDebugMessage } from "../logger";
 
-import type { NextRequest, NextResponse, SuperTokensNextjsConfig } from "./types";
+import type { NextRequest, SuperTokensNextjsConfig, SuperTokensRequestToken } from "./types";
 
 const ACCESS_TOKEN_COOKIE_NAME = "sAccessToken";
 const ACCESS_TOKEN_HEADER_NAME = "st-access-token";
@@ -9,14 +9,30 @@ const FRONT_TOKEN_HEADER_NAME = "front-token";
 const REFRESH_TOKEN_COOKIE_NAME = "sRefreshToken";
 const REFRESH_TOKEN_HEADER_NAME = "st-refresh-token";
 const ANTI_CSRF_TOKEN_COOKIE_NAME = "sAntiCsrf";
+const ANTI_CSRF_TOKEN_HEADER_NAME = "anti-csrf";
 
 let AppInfo: SuperTokensNextjsConfig["appInfo"];
 
-export async function refreshSession(
-    config: SuperTokensNextjsConfig,
-    request: NextRequest,
-    response: NextResponse
-): Promise<NextResponse> {
+// export function superTokensMiddleware(config: SuperTokensNextjsConfig, request: NextRequest, response: NextResponse) {
+//     AppInfo = config.appInfo;
+//     if (config.enableDebugLogs) {
+//         enableLogging();
+//     }
+//     const url = new URL(request.url);
+//     if (url.pathname === "/auth/session/refresh") {
+//         return refreshSession(request, response);
+//     }
+//
+//     // Save the current path so that we can use it during SSR
+//     // Used to redirect the user to the correct path after login/refresh
+//     return response.next({
+//         headers: {
+//             "x-current-path": url.pathname,
+//         },
+//     });
+// }
+
+export async function refreshSession(config: SuperTokensNextjsConfig, request: NextRequest): Promise<Response> {
     AppInfo = config.appInfo;
     if (config.enableDebugLogs) {
         enableLogging();
@@ -25,43 +41,73 @@ export async function refreshSession(
         request.cookies.get(REFRESH_TOKEN_COOKIE_NAME)?.value || request.headers.get(REFRESH_TOKEN_HEADER_NAME);
     if (!refreshToken) {
         logDebugMessage("Refresh token not found");
-        return redirectToAuthPage(request, response);
+        return redirectToAuthPage(request);
     }
 
     try {
         const tokens = await fetchNewTokens(refreshToken);
-        if (!tokens.accessToken || !tokens.refreshToken || !tokens.frontToken) {
+        const hasRequiredCookies = tokens.accessToken.cookie && tokens.refreshToken.cookie && tokens.frontToken.cookie;
+        const hasRequiredHeaders = tokens.accessToken.header && tokens.refreshToken.header && tokens.frontToken.header;
+        if (!hasRequiredCookies && !hasRequiredHeaders) {
             logDebugMessage("Missing tokens from refresh response");
-            return redirectToAuthPage(request, response);
+            return redirectToAuthPage(request);
         }
 
         const currentUrl = new URL(request.url);
         const redirectUrl = new URL(currentUrl.searchParams.get("redirectTo") || "/", request.url);
-        const finalResponse = response.redirect(redirectUrl);
-        finalResponse.headers.set("x-current-path", redirectUrl.pathname);
-        // @ts-expect-error TS(2345) It complains about tokens being null although we check for that in the previous if condition
-        attachTokensToResponse(finalResponse, tokens);
+        const finalResponse = new Response(null, {
+            status: 307,
+            headers: {
+                Location: redirectUrl.toString(),
+                "x-current-path": redirectUrl.pathname,
+                "x-st-ssr-session-refresh-attempt": "0",
+            },
+        });
+        if (hasRequiredCookies) {
+            finalResponse.headers.append(
+                "set-cookie",
+                `${tokens.accessToken.cookie as string},${tokens.refreshToken.cookie as string},${
+                    tokens.frontToken.cookie as string
+                }`
+            );
+            finalResponse.headers.append("x-middleware-set-cookie", tokens.accessToken.cookie as string);
+            finalResponse.headers.append("x-middleware-set-cookie", tokens.refreshToken.cookie as string);
+            finalResponse.headers.append("x-middleware-set-cookie", tokens.frontToken.cookie as string);
+        }
+        if (hasRequiredHeaders) {
+            finalResponse.headers.append(REFRESH_TOKEN_HEADER_NAME, tokens.refreshToken.header as string);
+            finalResponse.headers.append(ACCESS_TOKEN_HEADER_NAME, tokens.accessToken.header as string);
+            finalResponse.headers.append(FRONT_TOKEN_HEADER_NAME, tokens.frontToken.header as string);
+            if (tokens.antiCsrfToken.header) {
+                finalResponse.headers.append(ANTI_CSRF_TOKEN_HEADER_NAME, tokens.antiCsrfToken.header);
+            }
+        }
         logDebugMessage("Attached new tokens to response");
         return finalResponse;
     } catch (err) {
         logDebugMessage("Error refreshing session");
         logDebugMessage(err as unknown as string);
-        return redirectToAuthPage(request, response);
+        return redirectToAuthPage(request);
     }
 }
 
-function redirectToAuthPage(request: NextRequest, response: NextResponse): NextResponse {
+function redirectToAuthPage(request: NextRequest): Response {
     const authPagePath = AppInfo.websiteBasePath || "/auth";
     const redirectUrl = new URL(authPagePath, request.url);
     logDebugMessage(`Redirecting to: ${redirectUrl}`);
-    return response.redirect(redirectUrl);
+    return new Response(null, {
+        status: 307,
+        headers: {
+            Location: redirectUrl.toString(),
+        },
+    });
 }
 
 async function fetchNewTokens(currentRefreshToken: string): Promise<{
-    accessToken: string | null;
-    refreshToken: string | null;
-    frontToken: string | null;
-    antiCsrf: string | null;
+    accessToken: SuperTokensRequestToken;
+    refreshToken: SuperTokensRequestToken;
+    frontToken: SuperTokensRequestToken;
+    antiCsrfToken: SuperTokensRequestToken;
 }> {
     const refreshApiURL = new URL(`${AppInfo.apiBasePath}/session/refresh`, AppInfo.apiDomain);
     const refreshResponse = await fetch(refreshApiURL, {
@@ -73,55 +119,38 @@ async function fetchNewTokens(currentRefreshToken: string): Promise<{
         credentials: "include",
     });
     logDebugMessage("Session refresh request completed");
-    const frontToken = refreshResponse.headers.get("front-token");
-
-    let accessToken: string | null = null;
-    let refreshToken: string | null = null;
-    let antiCsrf: string | null = null;
+    const frontToken: SuperTokensRequestToken = {
+        header: refreshResponse.headers.get("front-token"),
+        cookie: `${FRONT_TOKEN_COOKIE_NAME}=${refreshResponse.headers.get("front-token")}; Path=/`,
+    };
+    const accessToken: SuperTokensRequestToken = {
+        header: refreshResponse.headers.get(ACCESS_TOKEN_HEADER_NAME),
+        cookie: null,
+    };
+    const refreshToken: SuperTokensRequestToken = {
+        header: refreshResponse.headers.get(REFRESH_TOKEN_HEADER_NAME),
+        cookie: null,
+    };
+    const antiCsrfToken: SuperTokensRequestToken = {
+        header: refreshResponse.headers.get(ANTI_CSRF_TOKEN_HEADER_NAME),
+        cookie: null,
+    };
 
     // getSetCookie was added in node 18 and our build target is ES5
     // This should not a problem here since the function runs in the Vercel edge runtime environment
     // @ts-expect-error TS(2339): Property 'getSetCookie' does not exist on type 'Headers'.
     const setCookieHeaders = refreshResponse.headers.getSetCookie();
-    if (!setCookieHeaders.length) {
-        return { accessToken, refreshToken, frontToken, antiCsrf };
-    }
-
     for (const header of setCookieHeaders) {
         if (header.includes(ACCESS_TOKEN_COOKIE_NAME)) {
-            accessToken = getCookieValue(header, ACCESS_TOKEN_COOKIE_NAME);
+            accessToken.cookie = header;
         }
         if (header.includes(REFRESH_TOKEN_COOKIE_NAME)) {
-            refreshToken = getCookieValue(header, REFRESH_TOKEN_COOKIE_NAME);
+            refreshToken.cookie = header;
         }
         if (header.includes(ANTI_CSRF_TOKEN_COOKIE_NAME)) {
-            antiCsrf = getCookieValue(header, ANTI_CSRF_TOKEN_COOKIE_NAME);
+            antiCsrfToken.cookie = header;
         }
     }
 
-    return { accessToken, refreshToken, frontToken, antiCsrf };
-}
-
-function attachTokensToResponse(
-    response: NextResponse,
-    tokens: { accessToken: string; refreshToken: string; frontToken: string; antiCsrf: string | null }
-) {
-    response.headers.append("set-cookie", `${ACCESS_TOKEN_COOKIE_NAME}=${tokens.accessToken}`);
-    response.headers.append(ACCESS_TOKEN_HEADER_NAME, tokens.accessToken);
-    response.cookies.set(ACCESS_TOKEN_COOKIE_NAME, tokens.accessToken);
-    response.headers.append("set-cookie", `${REFRESH_TOKEN_COOKIE_NAME}=${tokens.refreshToken}`);
-    response.headers.append(REFRESH_TOKEN_HEADER_NAME, tokens.refreshToken);
-    response.cookies.set(REFRESH_TOKEN_COOKIE_NAME, tokens.refreshToken);
-    response.headers.append("set-cookie", `${FRONT_TOKEN_COOKIE_NAME}=${tokens.frontToken}`);
-    response.headers.append(FRONT_TOKEN_HEADER_NAME, tokens.frontToken);
-    response.cookies.set(FRONT_TOKEN_COOKIE_NAME, tokens.frontToken);
-    if (tokens.antiCsrf) {
-        response.headers.append("set-cookie", `${ANTI_CSRF_TOKEN_COOKIE_NAME}=${tokens.antiCsrf}`);
-        response.cookies.set(ANTI_CSRF_TOKEN_COOKIE_NAME, tokens.antiCsrf);
-    }
-}
-
-export function getCookieValue(header: string, name: string): string | null {
-    const match = header.match(new RegExp(`${name}=([^;]+)`));
-    return match ? match[1] : null;
+    return { accessToken, refreshToken, frontToken, antiCsrfToken };
 }
diff --git a/lib/ts/nextjs/ssr.ts b/lib/ts/nextjs/ssr.ts
@@ -17,7 +17,6 @@ const ACCESS_TOKEN_COOKIE_NAME = "sAccessToken";
 const ACCESS_TOKEN_HEADER_NAME = "st-access-token";
 const FRONT_TOKEN_NAME = "sFrontToken";
 const FRONT_TOKEN_HEADER_NAME = "front-token";
-// const ANTI_CSRF_HEADER_NAME = "anti-csrf";
 
 type SSRSessionState =
     | "front-token-not-found"
diff --git a/lib/ts/nextjs/types.ts b/lib/ts/nextjs/types.ts
@@ -41,3 +41,8 @@ export type SuperTokensNextjsConfig = {
     appInfo: AppInfoUserInput;
     enableDebugLogs?: boolean;
 };
+
+export type SuperTokensRequestToken = {
+    header: string | null;
+    cookie: string | null;
+};
